‘Worse than Heartbleed:’ Shellshock bash bug blasts OS X systems

A new bug has muscled into virtual town, and world-leading security experts are saying it's worse than this year's Heartbleed fiasco.

Dubbed "Shellshock", the security flaw lies in Bash, a shell found on many computers. The shell is the command-line interface through which users and programs drive the operating system, much like Command Prompt on Windows, and Bash's reach means that many Linux, Unix and some BSD systems (including Apple's OS X) are vulnerable.

Worryingly, Bash is so ubiquitous that a large proportion of software interacts with the shell constantly. Consequently the bug can be reached through that software in a number of different ways.

"This bug is horrible," Darien Kindlund, Director of Threat Research at FireEye, told ITProPortal. "It's worse than Heartbleed, in that it affects servers that help manage huge volumes of internet traffic. Conservatively, the impact is anywhere from 20 to 50 per cent of global servers supporting web pages.

"Specifically, this issue affects web servers using GNU BASH to process traffic from the Internet. In addition, this bug covers almost all CGI-based web servers, which are generally older systems on the Internet."
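For administrators of the CGI-based web servers Kindlund describes, a defender's check is to look through access logs for requests that carry the Shellshock marker: a header value beginning with `() {`, which is what reaches a CGI script's environment and which no legitimate browser sends. The script below is an added example (not from the article or the researchers quoted in it) that scans constructed Apache-format log lines for that marker and lists the source addresses that sent it.

```shell
#!/bin/sh
# Added example: scan a web-server access log for Shellshock probes.
# A request whose header value starts with "() {" is the marker of an
# attempt to reach a CGI script's Bash environment; flag it and its source.

# Constructed sample log lines in Apache combined format (not from the article).
# Lines 3 and 4 carry the marker in the User-Agent and Referer fields.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.37.0"
198.51.100.7 - - [25/Sep/2014:10:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :; }; echo probe"
198.51.100.7 - - [25/Sep/2014:10:02:16 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "() { :;}; echo probe" "-"'

# Print the log lines (read from stdin) that carry the marker. Optional
# whitespace between "()" and "{" is allowed because probes vary in spacing.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{'
}

# Count the marked lines in the log file given as $1.
shellshock_hit_count() {
    grep -E -c '\(\)[[:space:]]*\{' "$1"
}

# List distinct source addresses (first field) that sent a probe, from the
# log file given as $1; useful for alerting or firewall rules.
shellshock_sources() {
    shellshock_hits < "$1" | awk '{print $1}' | sort -u
}

# Stand-alone demo over the constructed sample.
LOGFILE="$(mktemp)"
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
echo "probe lines: $(shellshock_hit_count "$LOGFILE")"
echo "sources:"
shellshock_sources "$LOGFILE"
rm -f "$LOGFILE"
```

Point `shellshock_hit_count` and `shellshock_sources` at a real access log to run the same check; a non-zero count is a reason to verify that Bash on that host is patched.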

A blog post by leading security expert Robert Graham highlighted the fact that the Bash bug is as big a threat as Heartbleed, but also suggested that older systems affected by the Bash bug are unlikely ever to be patched.

"Internet of things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts," he wrote. "Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world."

More colourfully put, he elaborated that if your older system were to be infected "you are likely screwed."

Another expert from security firm Rapid7, Tod Beardsley, added that the security exploit had the highest severity rating of "10", alongside a "low complexity rating." This means that theoretically hackers could launch massive cyber attacks without too much difficulty.

Graham was keen to stir up online chatter about the threat on Twitter, later tweeting "I think I was wrong saying #shellshock was as big as #heartbleed. It's bigger."

ITProPortal will be following this story closely as it unfolds, so be sure to click the link below and subscribe to our newsletter for all the latest updates, expert comments and tips to protect yourself.